White Label CMS <= 1.5.2 - Stored XSS


Description
Due to a lack of CSRF protection and a lack of sanitization of user input, it is possible to trigger a persistent (stored) XSS attack via a CSRF attack. The attack targets the Import functionality, implemented in the ‘wlcmsImport’ function within the file ‘/white-label-cms/wlcms-plugin.php’. The path to execution is the hook registered on the ‘admin_menu’ action, which calls the ‘wlcms_add_admin’ function; ‘wlcms_add_admin’ in turn invokes ‘wlcmsImport’ whenever an ‘action’ parameter with the value ‘import’ is supplied.

Because there is no CSRF protection, an attacker who can lure an administrative user to a malicious site can inject HTML that is then displayed to all users, depending on the template in use, in the form of a custom IMG element. By supplying an invalid URL for this element and using its ‘onerror’ event, arbitrary JavaScript can be executed, which can lead to privilege escalation. The default WordPress theme triggers the XSS on every page of the site, as does the default WordPress administrative theme. This is possible because the import functionality allows wlcms options to be imported, overwriting the current options.
Proof of Concept
The snippet of JavaScript below, when executed in the browser of a logged-in administrative user of the target site (in this case, http://localhost), results in a persistent XSS payload being stored via the import functionality of the White Label CMS plugin. The result is an alert with the value ‘1’ being displayed to all users of the site, depending on the template in use (with the default WordPress theme the XSS is triggered on all pages). Note that ‘wlcms_o_adminbar_custom_logo’ is not the only option susceptible to persistent XSS, but it is the only one used in this PoC.

Note: This PoC only appears to work in Firefox; however, it should be possible to apply the same logic to a PoC for Chrome and other browsers that support navigator.sendBeacon.

navigator.sendBeacon(q='http://localhost/wp-admin/options-general.php?page=wlcms-plugin.php&action=import',_=new FormData,_.append('wlcms_import',new Blob(['a:1:{s:28:"wlcms_o_adminbar_custom_logo";s:21:"\\" onerror=\\"alert(1)";}'])));
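The fix shipped in 1.5.3 is not shown on this page; the following is an added example, not the plugin's own code, of how an import handler on the path described above could be hardened in WordPress: a capability check, a nonce that a cross-origin request cannot supply, an allow-list of importable options with per-key sanitization, and escaping when the stored logo URL is rendered into the IMG element. The example_* function names and the nonce action name ‘wlcms_import’ are assumptions; current_user_can, check_admin_referer, update_option, get_option, esc_url_raw, esc_url and esc_attr are WordPress core functions.

```php
<?php
// Added, illustrative example (not the plugin's code). example_* names and the
// 'wlcms_import' nonce action are assumptions; the other functions are
// WordPress core. unserialize() with allowed_classes requires PHP 7+.

function example_wlcms_import_hardened() {
    // Only users who may manage options are allowed to import settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // CSRF defence: the POST must carry a nonce bound to this action. The
    // import form has to emit it with
    // wp_nonce_field( 'wlcms_import', 'wlcms_import_nonce' ); a request
    // forged from another origin (such as the sendBeacon PoC) cannot know it.
    check_admin_referer( 'wlcms_import', 'wlcms_import_nonce' );

    if ( empty( $_FILES['wlcms_import']['tmp_name'] ) ) {
        wp_die( 'No import file supplied.' );
    }
    $raw = file_get_contents( $_FILES['wlcms_import']['tmp_name'] );
    // Never let unserialize() instantiate objects from attacker-supplied data.
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        wp_die( 'Import file is not a valid options array.' );
    }

    // Allow-list the importable option keys, each with its own sanitizer, so
    // an import can only overwrite known options with well-formed values.
    $allowed = array(
        'wlcms_o_adminbar_custom_logo' => 'esc_url_raw', // must be a URL
    );
    foreach ( $data as $key => $value ) {
        if ( ! isset( $allowed[ $key ] ) || ! is_string( $value ) ) {
            continue; // unknown keys and non-string values are dropped
        }
        update_option( $key, call_user_func( $allowed[ $key ], $value ) );
    }
}

// Escape on output as well: the stored logo URL lands in an attribute, so
// build the IMG element with esc_url()/esc_attr() instead of raw concatenation.
function example_wlcms_render_logo() {
    $logo = get_option( 'wlcms_o_adminbar_custom_logo', '' );
    if ( '' === $logo ) {
        return '';
    }
    return '<img src="' . esc_url( $logo ) . '" alt="' . esc_attr( 'Logo' ) . '" />';
}
```

With both layers in place, the PoC's serialized value neither reaches the option store unsanitized nor breaks out of the src attribute if an older stored value is rendered.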

Affects

Plugin white-label-cms
fixed in version 1.5.3

References

URL https://research.g0blin.co.uk/g0blin-00047/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Verified No
WPVDB ID 7952

Timeline

Publicly Published 2015-04-29
Added 2015-04-29
Last Updated 2015-05-15

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.